Data protection and employment practice (2)

In this series of guidance notes on Data Protection, we are looking afresh at the legal regime created by the Data Protection Act 1998 in the light of the Information Commissioner's Legal Guidance, the statutory instruments that have been passed since the DPA came into force, and the Employment Practices Data Protection Code of Practice.

In Part 1 we considered the key definitions that dictate the scope of the Data Protection Act 1998 ("the DPA") and the nature of its requirements, and the eight Data Protection Principles that form the backbone of the data protection regime. In this part, we continue with an examination of the rights available to data subjects under the DPA, the exceptions, exemptions and defences available to data controllers and the Commissioner's powers and duties, including the notification regime and the ways in which breaches of the DPA are dealt with. Part 3 will focus on the new Employment Practices Data Protection Code of Practice: Recruitment and Selection. The Code is to be published in four separate parts over the next few months and we will cover the other three parts as and when they are released.

Rights for data subjects

A data subject is the individual who is the subject of personal data. For our purposes, he or she is described as a "worker". The definition of "worker" is given in the Code of Practice. It encompasses any individual who might wish to work, who works or who has worked for an employer. This includes successful and unsuccessful job applicants and former job applicants, and current and former employees, agency workers, casual workers and contract workers. It may also extend to volunteers and work experience placements in the workplace.

In respect of personal data that others hold about them, data subjects have the following rights under the DPA:

(1) The right of subject access (ss.7 and 8);

(2) The right to prevent processing likely to cause damage or distress (s.10);

(3) Rights in relation to automated decision-taking (s.12);

(4) The right to seek compensation if he or she suffers damage by any breach of the DPA by a data controller (s.13); and

(5) The right to take action to rectify, block, erase or destroy inaccurate data (ss.14 and 12A).

Right of subject access

An individual who has made a written request (including transmission by electronic means), and paid the appropriate fee to a data controller, is:

  • Entitled to be told by the data controller whether they or someone else on their behalf is processing that individual's personal data. If so, the individual is entitled to a description of the personal data, the purposes for which they are being processed and those to whom the data are, or may be, disclosed.

  • The individual is also entitled to have communicated to him or her in an intelligible form all the information that constitutes any such personal data, supplied in permanent form by way of a copy. Where this would be impossible or would involve disproportionate effort, the data subject may agree to some other form.

    Any information that is not intelligible without explanation must be supplied to the data subject with the necessary explanation. For example, information held in coded form should be supplied with the key to the code. Any other information available to the data controller as to the source of the data must also be supplied.

  • Where personal data is processed by fully automated means, for the purpose of evaluating matters such as an individual's performance at work, reliability or conduct, and that automated process constitutes or is likely to constitute the sole basis of any decision significantly affecting the individual, he or she is entitled to be told of the logic involved in the process. There is, however, no such obligation where this information involves a trade secret. A specific request must be made by the data subject for this information under the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (SI No.191) ("the Subject Access Regulations").

Data controllers and subject access rights

  • A data controller may charge a fee for dealing with subject access. The current maximum fee chargeable is £10. Details of this and other fees can be found in the Subject Access Regulations or on the Information Commissioner's website.

  • A data controller must comply with a subject access request promptly, that is, "as quickly as it can", and in any event within 40 days of receipt of the request (beginning with the day on which the request was received) or, if later, within 40 days of receipt of (a) the information required to satisfy itself as to the identity of the person making the request, to enable it to locate the information which that person seeks; and (b) the fee.

  • A data controller need not comply with a request that is not in permanent form, or is not accompanied by the prescribed fee and, if necessary, the information referred to in the point above. However, the Commissioner advises that a data controller should act promptly in such circumstances in requesting the fee or other information necessary to fulfil the request. Deliberate delay in doing this might result in the Commissioner making an adverse assessment of a data controller where it results in the response to the subject access request being provided after the 40-day time limit.

  • By virtue of an amendment to s.7 of the DPA (by para. 1 of Schedule 6 to the Freedom of Information Act 2000 ("the FoIA")), a data controller is not obliged to comply with a subject access request where it has reasonably required further information to satisfy itself as to the identity of the person making the request and to locate the information sought, and has informed him or her of that requirement, but has not been supplied with that further information. Note that the amendment is silent as to where the data subject may have failed to provide the fee.

  • A data controller need not comply with a request where it has already complied with an identical or similar request by the same individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request. What amounts to a reasonable interval will be decided by the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

  • A data controller must ensure that the information given in response to a subject access request is all that which is contained in the personal data at the time the request is received. Routine amendments to, and deletions of, the data may continue between the date of the request and the date of the reply and, to this extent, it does not matter if the information supplied in response to the request differs from that held at the time the request was received, even to the extent that data are no longer held. But, having received a request, the data controller must not make any special amendments or deletions that would not otherwise have been made - that is, the information must not be tampered with to make it more acceptable to the data subject.

  • Disclosures relating to the physical or mental health or condition of the data subject must not be made unless the data controller is itself a health professional (as defined in The Data Protection (Subject Access Modification) (Health) Order 2000 (SI No.413)), or it has consulted the appropriate health professional (also defined). Disclosure of this information must not be made at all where the data controller has, within the previous six months, received a written opinion from the appropriate health professional to the effect that an exemption to the right of subject access applies because the disclosure is likely to cause serious harm to the physical or mental health of the data subject or any other person. If it intends to rely on such an opinion, the data controller must consider whether it is reasonable in all the circumstances to consult the health professional again. No exemption to the right of subject access will apply where the request relates to information that the data controller is satisfied has previously been seen by the data subject or is already within the knowledge of the data subject.

  • In seeking to establish the identity of the person making the request, a data controller must first consider whether accidental disclosure of information to a person other than the data subject would or would not be likely to cause damage or distress to the data subject. In the latter situation, the data controller may rely upon the individual's usual signature as proof of identity and send the information to an address known to it as being the address of the person making the request. Where accidental disclosure would be likely to cause damage or distress to the real data subject, the data controller may reasonably require better proof. This might consist of the following: asking the individual to give information that has been recorded as personal data by the data controller and which the individual might be expected to know; asking the individual to have their signature witnessed by another person who is over 18 and is not a relative; or asking the individual to produce a document that might reasonably be expected to be in the real data subject's possession only.

  • A data controller need not comply with a subject access request where to do so would disclose information relating to someone other than the data subject who can be identified from that information, including where the information enables that other individual to be identified as the source. However, the data controller may make such disclosure where the other individual has given his or her consent, or where it is reasonable in all the circumstances to comply with the request without such consent. Obvious examples include the disclosure of references, reports and appraisals where these identify the author.

    A decision as to whether it is reasonable in all the circumstances to comply with a request without such consent must take account of: any duty of confidentiality owed to the other individual; any steps taken by the data controller with a view to seeking the consent of the other individual; whether the other individual is capable of giving consent; and any express refusal of consent by the other individual.

    A data controller must consider whether the data subject will be able to identify the other individual from the information, taking into account any other information that it reasonably believes is likely to be in, or to come into, the possession of the data subject. If there is no such likelihood, the data controller must provide the information. If the data controller can protect the identity of the other individual by deleting actual names, it must provide the information amended in this way.

Exemptions from subject access provisions

A data controller does not have to comply with a subject access request in the following specified circumstances (Schedule 7).

  • References

    Personal data that consist of a confidential reference given, or to be given, by the data controller for specified purposes (education, training or employment, appointment to office or provision of any service) are exempt from subject access.

    The Commissioner interprets this exemption narrowly to exclude the data controller in receipt of such references. In her view, whereas an employee cannot make a subject access request to the employer providing the reference, he or she will be able to make that request to the employer receiving the reference. This means that a reference is protected from subject access only up until it has been received by the recipient, after which there is no automatic exemption and the usual subject access rules will apply.

  • Civil service appointments

    The Data Protection (Crown Appointments) Order 2000 (SI No.416) exempts from the "subject information provisions" any personal data processed for the purposes of assessing a person's suitability for a Crown or ministerial appointment. The subject information provisions encompass both the subject access provisions and the fair processing information under the First Data Protection Principle.

  • Management forecasting and planning

    Also exempt from the subject information provisions are personal data processed for the purposes of management forecasting or management planning, but this is only to the extent that the application of the subject information provisions would be likely to prejudice the conduct of the business or other activity of the data controller. This is to allow businesses to plan certain of their future management activities, such as staff allocation, on a fully confidential and discretionary basis.

  • Negotiations

    Personal data consisting of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the subject information provisions to the extent to which the application of those provisions would be likely to prejudice those negotiations. This covers, for example, the situation where an organisation is in dispute with a former employee and records a potential settlement figure for the purpose of the organisation's own budget forecasting. If the figure was disclosed to the former employee, it might prejudice negotiations between the parties.

Enforcement of subject access provisions

A data subject may apply for a court order requiring a data controller to comply with a subject access request (s.7(9)). If a data controller seeks to rely on any of the exemptions listed above, it will be for the court to decide whether the relevant criteria are met.

An individual will also be able to ask the Information Commissioner to make an "assessment" (see below).

Right to prevent processing causing damage or distress

An individual who believes that a data controller is processing personal data about him or her in a way that causes, or is likely to cause, substantial unwarranted damage or substantial unwarranted distress to him or her or to another, may send a notice (the "data subject notice") to the data controller requiring it to stop the processing within a reasonable time (s.10). This right applies to processing taking place at all, to processing for a particular purpose, or to processing taking place in a particular way.

Within 21 days of receiving the data subject notice, the data controller must give the individual a written notice stating either that it has complied with the notice or intends to do so, or the extent to which it intends to comply with the notice (if at all), and explaining the parts of the notice it considers unjustified in any way. It is for the court to decide in each case what amounts to "substantial unwarranted" damage or distress.

The data subject must specify his or her reasons for believing that the processing has or will have the effect of substantial unwarranted damage or distress. The Commissioner's view is that a data subject notice is likely to be appropriate only where the particular processing has caused, or is likely to cause, someone to suffer "loss or harm or upset and anguish of a real nature over and above annoyance level and without justification".

Exceptions to s.10 rights

An individual is not entitled to serve a notice under the following circumstances:

  • if he or she has given a valid consent to the processing (although such consent may be withdrawn);

  • the processing is necessary for the taking of steps, at the data subject's request, with a view to entering into a contract, or the processing is necessary for the performance of a contract to which the data subject is a party;

  • the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or

  • the processing is necessary to protect the individual's vital interests (life or death situation).

Enforcement of s.10 rights

An individual may seek a court order requesting a data controller who has failed to comply with a data subject notice to comply with it (s.10(4)). The court may make this order if the request appears to it justified, or justified to any extent.

An individual may also ask the Information Commissioner to make an "assessment".

Rights in relation to automated decision-taking

An individual may, by written notice, require a data controller to ensure that no decision that significantly affects him or her is based solely on the processing by automatic means of personal data of which that individual is the data subject (s.12). This specifically includes evaluating the data subject's performance at work, and his or her reliability or conduct.

Even if a notice of this kind is not served, but such a decision is made, the data controller must notify the individual that the decision was taken on that basis as soon as reasonably practicable. Within 21 days of receiving this notification, the individual may respond with a written "data subject notice" requiring the data controller to reconsider the decision, or to take a new decision otherwise than by a solely automated process. Within 21 days of receiving this, the data controller must give the individual a written notice specifying the steps it intends to take to comply with the data subject notice.

Exemptions from s.12 rights

The DPA specifies a number of "exempt decisions" to which the above right does not apply (s.12(5)-(7)). An exempt decision is:

  • a decision taken as part of the steps for the purpose of considering whether to enter into a contract with the data subject, with a view to entering into such a contract, or in the course of performing such a contract; or

  • a decision authorised or required by or under any enactment; and

  • where the effect of the decision is to grant a request of the data subject; or

  • steps have been taken to safeguard the data subject's legitimate interests (for example, by allowing him or her to make representations).

Further categories of exempt decisions may be prescribed by Regulations, but the secretary of state has as yet made no such order.

Therefore, the s.12 right will not apply in respect of a purely automated decision taken in relation to a contract or potential contract (including a contract of employment) between the data controller and the data subject that is favourable to the data subject. Neither will the right apply in circumstances where the decision goes against the data subject but he or she is provided with certain rights of review.

An example of how these provisions might apply in the employment context would be where a job applicant completes a standard application form or aptitude test that is then subjected to a preliminary computerised scan for certain requirements. If that process did not eliminate the applicant at that stage, the employer would not be under a duty to notify him or her that the process took place in the way it did (and any objection notice served in advance by the candidate would be of no effect). If, however, the candidate was rejected at that stage, and the employer's procedures did not provide any further comeback on that decision, the candidate would have to be notified about the automatic decision-making process. He or she could then serve a data subject notice asking for the decision to be reconsidered. On the other hand, if the employer provided some right of review against that decision in any event, then there would appear to be no need for the candidate to receive a separate notification.

Enforcement of s.12 rights

A data subject may apply for a court order requiring a data controller who has failed to comply with a general objection notice or a data subject notice issued under s.12 to reconsider the decision, or to take a new decision not based solely on an automated process (s.12(8)).

The individual may also ask the Information Commissioner to make an "assessment".

Right to compensation

An individual who suffers damage, or damage and distress, as the result of any contravention of the DPA's requirements by a data controller, is entitled to compensation. "Damage" includes financial loss or physical injury. Compensation is not normally payable for distress alone (unless the processing is for journalism, artistic or literary purposes) and damage must be established as well. However, if the employee proves damage has been suffered, the court may award compensation for any distress that has also been suffered as a result of the breach of the DPA.

There is a defence available to the data controller who can establish that it took such care as was reasonably required in all the circumstances to comply with the requirement concerned.

Payment of compensation may be negotiated between the data controller and the data subject. Otherwise the data subject may apply to the court for compensation alone or compensation combined with an application in respect of any breach of the DPA.

The amount of compensation awarded is at the discretion of the court. Factors that will be considered include the seriousness of the breach and the effect upon the claimant, particularly when considering damages for distress.

Note that the right to compensation covers any basic failure to comply with the data protection principles, and is not limited, as under the 1984 Act, to damage or distress caused by inaccuracy, loss or unauthorised disclosure or destruction of data.

Right to rectify, block, erase or destroy inaccurate data

Inaccurate data is data that is incorrect or misleading as to any matter of fact. A data subject may apply to a court for an order requiring the data controller to rectify, block, erase or destroy inaccurate data relating to him or her, together with any other personal data relating to him or her that contain an expression of opinion based on the inaccurate data. A court might itself make this order where, on the application of the data subject, it is satisfied that he or she suffered damage as a result of a breach of the DPA that entitles him or her to compensation under s.13, and that there is a substantial risk that there will be a further breach of the Act.

In either case, the court might order the data controller to notify third parties to whom the data have been disclosed of the rectification etc where it considers it reasonably practicable to do so. Reasonable practicability will be decided having regard, in particular, to the number of persons who have to be notified.

This right applies even where data is incorrect but accurately records information given to the data controller by the data subject or a third party. However, the court may, in these circumstances, consider whether the requirements of the Fourth Data Protection Principle (that data must be accurate and up to date) have been complied with. Where this is the case, the court may alternatively order that the data be supplemented by a court-approved statement of the true facts. If the requirements of the Fourth Principle have not been complied with, the court may make such order as it sees fit, and compensation may be awarded if the data subject has suffered damage, or damage and distress, as a result.

Dealing with inaccuracy in exempt manual data

Exempt manual data, for our purposes, are health records that were subject to "processing already under way" immediately before 24 October 1998. During the first transitional period (from 1 March 2000 until 23 October 2001) and the second transitional period (from 24 October 2001 until 23 October 2007) such data are, by virtue of s.12A, subject to specific rights of rectification etc where they are inaccurate or incomplete. Section 12A was inserted into the DPA as from 1 March 2000 and will cease to have effect on 23 October 2007. It provides that a data subject may serve a notice in writing on a data controller requiring it to rectify, block, erase or destroy exempt manual data that are inaccurate or incomplete, or to cease holding such data in a way incompatible with the legitimate purposes of the data controller. Incomplete data is data that would constitute a breach of the Third and Fourth Principles ("adequate", "relevant", "not excessive", "accurate" and "up to date") if those Principles were applied to them. If the data controller fails to comply with the data subject's notice, he or she may apply for a court order that the data controller take such steps to comply as the court thinks fit.

Other exemptions under the DPA

By virtue of s.35(1) and (2) of the DPA, personal data are exempt from the "non-disclosure provisions" where the disclosure is required by or under any enactment, by any rule of law or by the order of a court. Personal data are also exempt from the non-disclosure provisions where the disclosure is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); or for the purpose of obtaining legal advice; or is otherwise necessary for the purpose of establishing, exercising or defending legal rights.

The non-disclosure provisions are defined as:

  • the First Data Protection Principle, except where it requires compliance with the Schedule 2 and 3 conditions for processing personal and sensitive data;

  • the Second to Fifth Data Protection Principles;

  • the right to prevent processing likely to cause damage or distress; and

  • the right to rectify etc to the extent to which this is inconsistent with the disclosure in question.

Exemption from the non-disclosure provisions is available in circumstances where the DPA recognises that the public interest requires disclosure of personal data which may otherwise be in breach of the Act. Where the exemption applies, such disclosure would not then breach the Act. A data controller must be satisfied first that the disclosure falls within s.35(1) or (2) and, if so, it must consider each of the non-disclosure provisions above in turn and decide if any of them would be inconsistent with the disclosure in question. If any of them would give rise to an inconsistency, the data controller may disapply them to the extent of that inconsistency.

The Commissioner's view is that an element of fairness can still be applied even though the existence of a legal obligation under s.35 overrides any objection of the data subject. This would be the case, for example, where the data controller is aware, at the time it collects the data, that it is likely, at some point in the future, to have to make disclosures of those data under statute. It should notify data subjects at the time the data are collected that such disclosure is likely.

With regard to s.35(2), the Commissioner's view is that, in many cases, the data controller will not be in a position to make a decision as to whether the "necessity test" can be met, or will not wish to make the disclosure because of its relationship with the data subject, and so the requesting party will have to rely on a court order to obtain the information.

Commissioner's powers and duties

The Commissioner's powers and duties under the DPA include the following:

  • promoting good practice by data controllers, in particular, the observance of the DPA's requirements;

  • publishing information on the DPA and its workings;

  • developing Codes of Practice;

  • maintaining a register of data controllers who are required to notify their processing; and

  • prosecuting persons in respect of offences committed under the DPA.

The Commissioner enjoys important law enforcement roles, including the serving of "information notices" and "enforcement notices" (see below). Her powers in these respects extend to all data controllers, whether or not they are registered or required to register with her.

Requests for assessment

As we have seen, data subjects may go directly to court to seek, for example, subject access, compensation, or rectification etc of inaccurate data. In addition, they may complain to the Information Commissioner if they believe that the Data Protection Principles are not being complied with. The Commissioner may, and in some cases, must, investigate such complaints. The procedure for doing so is by a request for an assessment under s.42 of the DPA.

A request for assessment may be made by any person who is, or believes himself or herself to be, directly affected by any processing of personal data. The request is for the Commissioner to make an assessment as to whether it is likely or unlikely that the processing has been, or is being, carried out in compliance with the DPA. The only circumstance in which she is not required to make an assessment is where she has not been supplied with sufficient information to enable her to be satisfied as to the identity of the person making the request, or to identify the processing in question. She has, however, a wide discretion in deciding the appropriate way in which to make an assessment, namely in such manner as appears to her to be appropriate. She may take into account the extent to which the request appears to raise a matter of substance, any undue delay in making the request, and whether or not the person making the request is entitled to make an application for subject access in respect of the personal data in question. The Commissioner must notify the data subject as to whether she has made an assessment and the result of the request. She may additionally notify him or her of any view formed or action taken as a result. (Further information is available from the Commissioner's office or on her website in publications entitled Handling assessments and Requests for assessment).

Enforcement notice

The Commissioner may serve an enforcement notice upon a data controller who has contravened or is contravening any of the Data Protection Principles (s.40). This will require it to take, or to refrain from taking, specified steps, or to refrain from processing any personal data (or personal data of a specified description) altogether, or from processing for a specified purpose or in a specified manner. Compliance with an enforcement notice should ensure compliance with the principle or principles in question. In deciding whether to serve it, the Commissioner must consider whether the contravention has caused or is likely to cause any person damage or distress.

The data controller may appeal against the enforcement notice. While the appeal is being determined, or until it is withdrawn, the data controller need not comply with the enforcement notice, which is, in effect, suspended pending the outcome of the appeal. The enforcement notice itself must not require any of its provisions to be complied with before the end of the period within which an appeal can be brought unless it contains a "statement of urgency". This is a statement saying that the Commissioner considers that there are special circumstances which mean that the notice should be complied with as a matter of urgency. If such a statement is included, the notice must not require its provisions to be complied with before the end of a seven-day period, beginning with the day on which the notice is served. However, the notice will not then be suspended if an appeal is lodged against it.

Information notice

The Commissioner may serve an information notice on a data controller detailing the information that she requires from it in order to respond to a request for an assessment, or to decide whether or not the data controller has complied with, or is complying with, the Data Protection Principles. The data controller must then provide the Commissioner with such information within a specified period of time.

Right of appeal from a notice

A person on whom an enforcement notice or information notice has been served may appeal to the Information Tribunal against the notice (s.48). Detailed rules in relation to the appeals procedure can be found in the Data Protection Tribunal (Enforcement Appeals) Rules 2000 (SI No.189). Any party to an appeal to the tribunal may appeal from the decision of the tribunal on a point of law to the appropriate court. This is the High Court of Justice in England, the Court of Session in Scotland, or the High Court of Justice in Northern Ireland.

Failure to comply with a notice

Failure to comply with an enforcement notice or an information notice is an offence under s.47 unless the person charged is able to show in its defence that it exercised due diligence to comply with the notice. It is also an offence to make a false statement, whether knowingly or recklessly, in purported compliance with an information notice.

Notification

    Part III of the DPA replaced "registration" under the 1984 Act with "notification", and set out the legislative framework for the new notification scheme and register. The Data Protection (Notification and Notification Fees) Regulations 2000 (SI No.1088) ("the Notification Regulations") set out the arrangements by which a data controller notifies under Part III.

    By notification, a data controller informs the Commissioner of certain details about its processing of personal data, and the Commissioner uses these details in making an entry describing the processing in a register that is available to the public for inspection. A £35 fee is payable for notification and the period of notification is one year. A person who requires a certified copy of the particulars contained in any entry made in the register must pay a £2 fee to the Commissioner. Practical advice on how to notify can be found in the Notification handbook available from the Commissioner's Office or via the website.

    Schedule 14 to the DPA deals with the transition from registration to notification. Under its provisions, data controllers who were registered under the 1984 Act when the DPA's notification rules came into force did not need to re-notify and were exempted from the prohibition against processing personal data without notification contained in s.17(1) of the DPA. This exemption was to last until the end of the registration period, or the date upon which a voluntary notification was made, whichever came first. An amendment to this provision by the FoIA (para. 8 of Schedule 6) extends the transitional exemption from notification to the end of the registration period, whether or not it ends after 24 October 2001. All exempted persons will be deemed to have notified until the end of their registration period. Once this transitional exemption from notification ceases to apply, data controllers must notify in accordance with the DPA and with the Notification Regulations.

    It is open to any data controller, who would otherwise be exempt under the notification provisions, to make a voluntary notification during the transitional period. A data controller who chooses to do so will lose its entitlement to exemption from the prohibition against processing personal data without notification. However, one advantage will be that the data controller will not then be subject to s.24 of the DPA which requires that, within 21 days of receiving a written request (a "registrable particulars request") from anyone, it must make available free of charge the same information that would be required under the notification provisions and Notification Regulations. Failure to comply with s.24 is an offence.

    The following information ("the registrable particulars") is to be provided by the data controller upon notification:

  • its name and address;

  • the name and address of a UK representative where it has nominated one;

  • a description of the personal data being, or to be, processed and the category or categories of data subject to which they relate;

  • a description of the purpose or purposes for which the data are being processed or are to be processed;

  • a description of any recipient or recipients to whom the data controller intends to disclose data or may wish to disclose the data;

  • the name of, or a description of, any countries or territories outside the EEA to which the data controller transfers, intends to, or may wish to transfer the data; and

  • where the personal data are exempt from the prohibition against processing personal data without notification, and where the notification does not extend to such data, a statement of that fact.

    In addition to the above, a data controller must also provide a general description of the security measures taken to protect the personal data. This information will not appear on the register.

    Exceptions to the notification requirements

    Two important exceptions to the notification requirements relate to personal data falling within the definition of "relevant filing system" (manual data) and personal data within non-automated "accessible records" (health records). Where the only personal data held by a data controller fall into either of these exempt categories, there is no requirement for a register entry except where the "assessable processing provisions" (see below) apply to the processing. Where data controllers hold both exempt data and personal data which do not fall into the exempt categories, they are required to notify in respect of the latter, but only need make a statement of the fact that they hold exempt data if the notification does not extend to those data.

    Other exempt processing operations listed in the Notification Regulations include staff administration; advertising; accounts and record-keeping.

    "Assessable processing" provisions

    The "assessable processing" provisions relate to any processing that is particularly likely to cause substantial damage or substantial distress to data subjects or otherwise significantly prejudice their rights and freedoms. Under these provisions, data controllers who notify "assessable processing" will be subject to a preliminary assessment procedure, and there will be an absolute prohibition on beginning processing until a specified period (28 days in most cases) has elapsed. This is to allow the Commissioner time to investigate the processing's compliance with the DPA. The Commissioner will have no power to prevent assessable processing from commencing after the expiry of this time limit even if her preliminary assessment is an unfavourable one, but she will be able to prohibit it once it has commenced.

    This procedure will apply only in limited cases to be specified in Regulations, and is expected to cover, for example, data-matching processes and processing by private investigators, but no such order has as yet been made by the Secretary of State.

    Offences relating to notification

    It is a strict liability offence to process personal data without notification unless:

  • the national security exemptions apply;

  • the transitional exemptions apply;

  • the relevant filing system or accessible records exceptions apply;

  • the exempt processing operations within the Notification Regulations apply; or

  • the processing is of a description that the Notification Regulations provide is exempt from the requirements to notify on the ground that it is unlikely to prejudice the rights and freedoms of data subjects. No such provision was included in the Regulations.

    The Notification Regulations also make it an offence to fail to notify the Commissioner of any changes to the register entry as soon as is practicable and, in any event, within 28 days from the date upon which the entry became inaccurate or incomplete, or in respect of measures taken with regard to compliance with the Seventh Data Protection Principle ("technical and organisational measures"). A defence is available to the data controller if it can show that it exercised all due diligence to comply with the duty.

    It is also a strict liability offence to process data where the "assessable processing" provisions apply, unless the data controller has given a notification to the Commissioner and 28 days have expired from when the Commissioner received the notification, or, before that time, the Commissioner has sent a notice (an "assessable processing notice") to the data controller stating the extent to which she is of the opinion that the proposed processing is likely or unlikely to comply with the DPA's provisions.

    A failure to comply with a registrable particulars request under s.24 of the DPA is a criminal offence. A defence is available where the data controller can show that it exercised all due diligence to comply with this request.

    Proceedings for a criminal offence under the DPA in England and Wales can be brought by the Commissioner, or by or with the consent of the Director of Public Prosecutions. In Scotland, it is the Procurator Fiscal and, in Northern Ireland, the Commissioner, or by or with the consent of the DPP for Northern Ireland.

    Most of the offences under the Act can be tried in a magistrates' court (summary trial) or the Crown Court (trial on indictment) in England and Wales, or in the sheriff court (summary trial) or High Court (indictment) in Scotland. Summary conviction of an offence may lead to a fine not exceeding the current statutory maximum (£5,000) or, on conviction on indictment, to an unlimited fine. The strict liability offences (see above) make the data controller criminally liable without the need to establish that it intended to commit the offence or that it knew that it was committing an offence.

    Upon conviction of an offence under the DPA, the court may order any data apparently connected with the crime to be forfeited, destroyed or erased. Anyone other than the offender who claims to own the material may apply to the court for such an order not to be made.

    Personal liability where the data controller is a company or corporate body (s.61)

    If a company or other corporation commits a criminal offence under the DPA, any director, manager, secretary or similar officer, or someone purporting to act in any such capacity, is personally guilty of the offence in addition to the corporate body if the offence was committed with his or her consent or connivance, or if the offence is attributable to any neglect on his or her part.

    Government departments are not liable to prosecution under the DPA but individual civil servants may be prosecuted under certain circumstances.

    Enforced subject access

    Unless one of the statutory exceptions below applies, it is an offence for a person to require another person or a third party to supply him or her with "a relevant record" (see below), or to produce a relevant record to him or her, in connection with the recruitment of that other person as an employee, the continued employment of that other person or any contract for the provision of services to him or her by that other person. Thus, enforced subject access, the method by which employers and prospective employers check the criminal records or past contribution records of employees or job applicants by asking them to make a subject access request to the police and the Department for Social Security, and then to produce the results of that request as a condition of employment, is made illegal. The term "relevant record", defined in s.56 of the DPA, generally relates to records of cautions and criminal convictions and to certain social security records relating to the data subject.

    The statutory exceptions to liability for such offences, whereby the above prohibition will not apply, are where the imposition of the requirement was required or authorised by law or a court order or where, in the particular circumstances, it was justified as being in the public interest. That a requirement would assist in the prevention or detection of crime is not justification in the public interest (s.56(3) and (4)).

    Recognising that, in some circumstances, it may be proper for employers to know whether or not a job applicant has a criminal record and, if so, what it contains, the government set up the Criminal Records Bureau ("the CRB"). This is intended to put the disclosure of information about an individual's criminal history in England and Wales on a statutory footing and to put proper safeguards in place concerning the handling of this information. Separate provisions are to be implemented in Scotland and are to be administered by the Disclosure Bureau. The CRB opened to all organisations on 1 April 2002. We will examine the CRB in detail in Part 3 of this series when we deal with the Code of Practice. Note also that the practice of enforced subject access might still breach other provisions of the DPA, the Human Rights Act 1998 or the Rehabilitation of Offenders Act 1974.

    Data Protection 2: main points to note

  • The term "worker" is defined broadly in the Employment Practices Data Protection Code of Practice to include any individual who applies for a job with an employer, whether or not successful, and current and former employees and other atypical workers.

  • In respect of personal data held about workers, they have rights of subject access, rights to prevent processing, rights in relation to automated decision-making, rights to compensation and rights in relation to inaccurate data.

  • Under Schedule 7 to the DPA, workers have no rights of subject access to confidential references given by their employer. However, the Information Commissioner interprets this provision narrowly to mean that the exemption from subject access applies only up until the reference is received by the recipient data controller. No automatic exemption applies in that case and the usual subject access rules will apply.

  • The Commissioner's powers under the DPA include the power to serve an enforcement notice upon a data controller to bring about compliance with the DPA. However, this may be suspended pending any appeal the data controller may wish to bring against the notice.

  • Other powers include dealing with a request for an assessment made by a data subject, and serving an information notice on a data controller to require the information the Commissioner needs to respond to such a request or to decide whether or not the data controller is in breach of the DPA.

  • By notification, a data controller must supply certain "registrable particulars" to the Commissioner to be entered in a public register. The arrangements for notification are set out in the Notification Regulations. No notification is required where the only personal data held by a data controller are manual data and health records.

  • Offences under the DPA include processing without notification, failing to notify changes to the registrable particulars and failing to comply with an enforcement notice or information notice.

  • The Criminal Records Bureau opened to all organisations on 1 April 2002. Employers and prospective employers must now use its services, rather than resorting to enforced subject access, to check workers' criminal records or past contribution records.